hcxtools - solution for capturing wlan traffic and conversion to hashcat formats
We can find PSKs in the clear in PROBEREQUEST and EAP-ID frames.
Your guess that confused users typing their PSK instead of the ESSID is correct. But we can find much more PSKs than this typo related ones. So it could be related to misconfigured/damaged config files and/or IoT devices.
Unfortunately we can't ask the user what he has done or take a look at his wpa_supplicant.conf.
So if someone has an idea why this happens, please let us know.

Running hcxdumptool 24/7, it is possible to recover the PSKs from 10% of the captured handshakes by this method.
Code:
$ sudo -i interface -o dump.pcapng --tot=1440 --bpfc=own.bpfc --disable_deauthentication --disable_ap_attacks --active_beacon -c 1,9,6,3,11 -t 3600
We choose 3 crowed channels and 2 less crowded channels for this attack.
We disable all AP attacks.
We stay a longer time on a channel to make sure every CLIENT will find us.
Please notice:
That depend on how much CLIENTs hcxdumptool attacked/received and on the attack mode:


A nice example is here (converted to old pcap, to allow old scool tools to read it, too) :
https://github.com/evilsocket/pwnagotchi...-598597214

BTW:
hcxpcapngtool will detect if this kind of frames is missing in a cap/pcap/pcapng file and print a warning:
Code:
summary capture file
--------------------
file name.................................: dump.cap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 19.01.2021 21:47:23
timestamp maximum (GMT)..................: 19.01.2021 23:08:33
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11 (105)
endianess (capture system)...............: little endian
packets inside...........................: 110524
BEACON (total)...........................: 1
ACTION (total)...........................: 4
PROBERESPONSE............................: 9
DEAUTHENTICATION (total).................: 32640
AUTHENTICATION (total)...................: 3
AUTHENTICATION (OPEN SYSTEM).............: 3
ASSOCIATIONREQUEST (total)...............: 2
ASSOCIATIONREQUEST (PSK).................: 2
WPA encrypted............................: 21324
EAPOL messages (total)...................: 4
EAPOL RSN messages.......................: 4
ESSID (total unique).....................: 1
EAPOLTIME gap (measured maximum usec)....: 10789
EAPOL ANONCE error corrections (NC)......: not detected
EAPOL M1 messages (total)................: 1
EAPOL M2 messages (total)................: 1
EAPOL M3 messages (total)................: 1
EAPOL M4 messages (total)................: 1
EAPOL pairs (total)......................: 2
EAPOL pairs (best).......................: 1
EAPOL M32E2 (authorized).................: 1

Information: no hashes written to hash files

Warning: out of sequence timestamps!
This dump file contains frames with out of sequence timestamps.
That is a bug of the capturing tool.

Warning: too many deauthentication/disassociation frames detected!
That can cause that an ACCESS POINT reset the EAPOL TIMER,
renew the ANONCE and set the PMKID to zero.
This could prevent to calculate a valid EAPOL MESSAGE PAIR
or to get a valid PMKID.

Warning: missing frames!
This dump file does not contain undirected proberequest frames.
An undirected proberequest may contain information about the PSK.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it hard to recover the PSK.

Warning: missing frames!
This dump file does not contain enough EAPOL M1 frames.
It always happens if the capture file was cleaned or
it could happen if filter options are used during capturing.
That makes it impossible to calculate nonce-error-correction values.
Reply


Messages In This Thread
wlandump-ng vs hcxdumptool - by hulley - 02-10-2018, 10:26 PM
RE: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats - by ZerBea - 01-23-2021, 10:48 AM